1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79

General
Target

1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe

Filesize

460KB

Completed

23-09-2021 07:14

Score

6/10

MD5

3b6f38ea6928bca0be7ce6cf39ec8959

SHA1

5ea0766825327580776bc88add0e9267d97965e5

SHA256

1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79

Malware Config
Signatures 7

  • Adds Run key to start application
    1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\gjkE = "\"C:\\Users\\Admin\\AppData\\Roaming\\gjkE.exe\"" | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
  • Suspicious use of SetThreadContext
    1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe

    Reported IOCs

    description | pid | process | target process
    PID 3128 set thread context of 2860 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe

    Reported IOCs

    pid | process
    3272 | powershell.exe
    3272 | powershell.exe
    3156 | powershell.exe
    3156 | powershell.exe
    3156 | powershell.exe
    1292 | powershell.exe
    1292 | powershell.exe
    1292 | powershell.exe
    2508 | powershell.exe
    2508 | powershell.exe
    2508 | powershell.exe
    3680 | powershell.exe
    3680 | powershell.exe
    3680 | powershell.exe
    3996 | powershell.exe
    3996 | powershell.exe
    3996 | powershell.exe
    360 | powershell.exe
    360 | powershell.exe
    360 | powershell.exe
    1844 | powershell.exe
    1844 | powershell.exe
    1844 | powershell.exe
    1436 | powershell.exe
    1436 | powershell.exe
    1436 | powershell.exe
    2104 | powershell.exe
    2104 | powershell.exe
    2104 | powershell.exe
    3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
  • Suspicious behavior: GetForegroundWindowSpam
    1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe

    Reported IOCs

    pid | process
    2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe, 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 3272 | powershell.exe
    Token: SeDebugPrivilege | 3156 | powershell.exe
    Token: SeDebugPrivilege | 1292 | powershell.exe
    Token: SeDebugPrivilege | 2508 | powershell.exe
    Token: SeDebugPrivilege | 3680 | powershell.exe
    Token: SeDebugPrivilege | 3996 | powershell.exe
    Token: SeDebugPrivilege | 360 | powershell.exe
    Token: SeDebugPrivilege | 1844 | powershell.exe
    Token: SeDebugPrivilege | 1436 | powershell.exe
    Token: SeDebugPrivilege | 2104 | powershell.exe
    Token: SeDebugPrivilege | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: SeDebugPrivilege | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: 33 | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: SeIncBasePriorityPrivilege | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: 33 | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: SeIncBasePriorityPrivilege | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: 33 | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: SeIncBasePriorityPrivilege | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: 33 | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: SeIncBasePriorityPrivilege | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: 33 | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: SeIncBasePriorityPrivilege | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: 33 | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: SeIncBasePriorityPrivilege | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: 33 | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: SeIncBasePriorityPrivilege | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: 33 | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: SeIncBasePriorityPrivilege | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: 33 | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    Token: SeIncBasePriorityPrivilege | 2860 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
  • Suspicious use of WriteProcessMemory
    1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe

    Reported IOCs

    description | pid | process | target process
    PID 3128 wrote to memory of 3272 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 3272 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 3272 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 3156 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 3156 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 3156 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 1292 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 1292 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 1292 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 2508 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 2508 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 2508 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 3680 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 3680 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 3680 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 3996 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 3996 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 3996 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 360 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 360 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 360 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 1844 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 1844 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 1844 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 1436 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 1436 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 1436 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 2104 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 2104 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 2104 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | powershell.exe
    PID 3128 wrote to memory of 2860 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    PID 3128 wrote to memory of 2860 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    PID 3128 wrote to memory of 2860 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    PID 3128 wrote to memory of 2860 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    PID 3128 wrote to memory of 2860 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    PID 3128 wrote to memory of 2860 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    PID 3128 wrote to memory of 2860 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    PID 3128 wrote to memory of 2860 | 3128 | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe | 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
Processes 12
  • C:\Users\Admin\AppData\Local\Temp\1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    "C:\Users\Admin\AppData\Local\Temp\1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe"
    Adds Run key to start application
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3272
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3156
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1292
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2508
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3680
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3996
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:360
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1844
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1436
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2104
    • C:\Users\Admin\AppData\Local\Temp\1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
      C:\Users\Admin\AppData\Local\Temp\1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2860
Network
MITRE ATT&CK Matrix
Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe.log

    MD5

    4a30a8132195c1aa1a62b78676b178d9

    SHA1

    506e6d99a2ba08c9d3553af30daaaa0fc46ae4be

    SHA256

    71636c227625058652c089035480b7bb3e5795f3998bc9823c401029fc844a20

    SHA512

    3272b5129525c2b8f7efb99f5a2115cf2572480ff6938ca80e63f02c52588216f861307b9ef962ba015787cae0d5a95e74ebb5fe4b35b34f1c4f3a7deac8ce09

  • memory/360-223-0x0000000007382000-0x0000000007383000-memory.dmp
  • memory/360-211-0x0000000000000000-mapping.dmp
  • memory/360-222-0x0000000007380000-0x0000000007381000-memory.dmp
  • memory/1292-147-0x0000000000000000-mapping.dmp
  • memory/1292-156-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
  • memory/1292-157-0x0000000004AA2000-0x0000000004AA3000-memory.dmp
  • memory/1436-245-0x0000000000000000-mapping.dmp
  • memory/1436-256-0x0000000007300000-0x0000000007301000-memory.dmp
  • memory/1436-258-0x0000000007302000-0x0000000007303000-memory.dmp
  • memory/1844-240-0x00000000070C0000-0x00000000070C1000-memory.dmp
  • memory/1844-241-0x00000000070C2000-0x00000000070C3000-memory.dmp
  • memory/1844-229-0x0000000000000000-mapping.dmp
  • memory/2104-273-0x0000000006920000-0x0000000006921000-memory.dmp
  • memory/2104-274-0x0000000006922000-0x0000000006923000-memory.dmp
  • memory/2104-261-0x0000000000000000-mapping.dmp
  • memory/2508-172-0x0000000007380000-0x0000000007381000-memory.dmp
  • memory/2508-163-0x0000000000000000-mapping.dmp
  • memory/2508-173-0x0000000007382000-0x0000000007383000-memory.dmp
  • memory/2860-293-0x00000000053C0000-0x00000000053C1000-memory.dmp
  • memory/2860-286-0x000000000040C26E-mapping.dmp
  • memory/3128-119-0x0000000004CF0000-0x00000000051EE000-memory.dmp
  • memory/3128-116-0x00000000051F0000-0x00000000051F1000-memory.dmp
  • memory/3128-118-0x0000000004C10000-0x0000000004C11000-memory.dmp
  • memory/3128-114-0x0000000000370000-0x0000000000371000-memory.dmp
  • memory/3128-117-0x0000000004C30000-0x0000000004C31000-memory.dmp
  • memory/3156-142-0x0000000007880000-0x0000000007881000-memory.dmp
  • memory/3156-144-0x0000000007B50000-0x0000000007B51000-memory.dmp
  • memory/3156-141-0x0000000002A72000-0x0000000002A73000-memory.dmp
  • memory/3156-131-0x0000000000000000-mapping.dmp
  • memory/3156-140-0x0000000002A70000-0x0000000002A71000-memory.dmp
  • memory/3156-143-0x00000000078D0000-0x00000000078D1000-memory.dmp
  • memory/3272-128-0x00000000073A0000-0x00000000073A1000-memory.dmp
  • memory/3272-123-0x0000000004870000-0x0000000004871000-memory.dmp
  • memory/3272-124-0x0000000007470000-0x0000000007471000-memory.dmp
  • memory/3272-125-0x0000000006E30000-0x0000000006E31000-memory.dmp
  • memory/3272-126-0x0000000006E32000-0x0000000006E33000-memory.dmp
  • memory/3272-127-0x0000000007300000-0x0000000007301000-memory.dmp
  • memory/3272-130-0x0000000007CF0000-0x0000000007CF1000-memory.dmp
  • memory/3272-129-0x0000000007C80000-0x0000000007C81000-memory.dmp
  • memory/3272-120-0x0000000000000000-mapping.dmp
  • memory/3680-179-0x0000000000000000-mapping.dmp
  • memory/3680-189-0x0000000006F90000-0x0000000006F91000-memory.dmp
  • memory/3680-191-0x0000000006F92000-0x0000000006F93000-memory.dmp
  • memory/3996-195-0x0000000000000000-mapping.dmp
  • memory/3996-207-0x0000000007162000-0x0000000007163000-memory.dmp
  • memory/3996-206-0x0000000007160000-0x0000000007161000-memory.dmp